Symantec NetBackup 7 and firewalls
Have you ever been frustrated over network communication issues when deploying NetBackup in heavily segmented or protected network environments? If you say yes, then please read on; perhaps some of the information below could make your life easier. And if you say no: wow, lucky bastard! :-)
NetBackup depends on the network to send control traffic as well as the backup/restore traffic over the LAN/SAN. In secured environments it is generally very complicated and time-consuming to find where the problem lies. Many companies use firewalls or access lists in the routers/switches to control which hosts may talk to which, and how, and if the ports required for NetBackup are blocked, then you will have a problem.
Symantec has released a document on the ports used, but reading it is somewhat difficult, so I thought I should put it all in table form, in a format that could be sent to the security administrator or used in the change request system.
Primarily, all communication uses TCP as the protocol, the exception being Granular Restore Technology (GRT) restores, where UDP is used for the NFS traffic. GRT is not covered in this article.
We will start with the default ports, as most environments do not change them, followed by the ports for each tier.
| Service | Port | Description |
|---|---|---|
| VNETD | 13724 | NetBackup Network daemon |
| VERITAS_PBX | 1556 | VxPBX Symantec Private Branch Exchange Service |
| VRTS-AT-PORT | 2821 | VxAT Symantec authentication service |
| VRTS-AUTH-PORT | 4032 | VxAZ Symantec Authorization Service |
| BPCD | 13782 | NetBackup Connection Daemon |
| PDDE_CR | 10082 | PureDisk Content Router |
| BPRD | 13720 | NetBackup Request Daemon |
These eight ports are the primary ports used in almost all NetBackup environments using at least version 6.0. Support for 5.x clients and servers is very limited in NetBackup 7, as the main application communication protocols have changed as of version 6.0.
The master server needs to be able to communicate with all tiers, such as the media servers, EMM server, VxSS server and clients, as well as servers where the Java or Administration console is running. The following minimum ports are required:
The media servers must be able to communicate with the master server and EMM server and obviously the clients. In secure environments the VxSS server is also required. In backup and restore operations it is primarily the media server that communicates with the clients.
The Enterprise Media Manager server (EMM) is the central database for media information as well as many new features in 6.x and 7.0. The EMM server is in almost all cases installed on the master server, but for huge environments or in shared media environments, the EMM server may be a separate server.
The client requires access to the master server for scanning of backups as well as initiating user or archive operations. The client must also be able to connect to the media servers when connect-back backup types such as Oracle and SQL backups are used. When using client-side de-duplication, the client must also be able to communicate with the PDDE media servers or all servers in a PureDisk Storage Pool, including the Storage Pool Authority (SPA) and Content Routers (CR). In secure environments, the clients must also be able to authenticate against the VxSS server.
If there are any NetWare servers being backed up, the following ports must be open:
If you are using the Windows Administration console, which is a native Windows application, you first have to add the DNS name of the workstation or server to the list of "trusted" servers in the master server. After that, the following ports must be open:
| Source | Destination | Service | Port |
|---|---|---|---|
| Admin Console | VxSS server | VRTS-AT-PORT | 2821 |
The Java server is the process running on the master server when you connect using the Java Administration Console. It needs to be able to communicate with all the core components.
| Source | Destination | Service | Port |
|---|---|---|---|
| Java Server | VxSS server | VRTS-AT-PORT | 2821 |
Many use the Java Console instead of the Windows native Administration Console, and as it uses the Java Server for further communication, it only requires the ports below:
| Source | Destination | Service | Port |
|---|---|---|---|
| Java Console | Java Server | VNETD | 13724 |
It is my belief that having the core ports used by NetBackup in tabular form does make it easier to communicate the requirements to the network team, so they can carry out the necessary changes to the network.
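Once the network team has applied the rules, each flow can be verified from the source host before a backup job fails on it. The script below is an added example, not part of the original article or of NetBackup: the function names and the host name are assumptions, and the port numbers are the defaults listed in this article. It separates a refused connection (path open, daemon not listening) from a timeout (typical of a firewall drop), which is the distinction the security administrator needs.

```python
import socket

# Default NetBackup 7 TCP ports, copied from the table in this article.
NBU_PORTS = {
    "VNETD": 13724, "VERITAS_PBX": 1556, "VRTS-AT-PORT": 2821,
    "VRTS-AUTH-PORT": 4032, "BPCD": 13782, "PDDE_CR": 10082, "BPRD": 13720,
}

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt made from this host.

    open     - handshake completed, the daemon is reachable
    refused  - an RST came back: the path is open but nothing listens there
               (or a firewall rejects actively)
    filtered - no answer before the timeout, typical of a firewall drop rule
    error    - name resolution or routing failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"

def check_flow(source, dest_name, dest_host, services, ports=NBU_PORTS, timeout=3.0):
    """Probe each named service on dest_host.

    Returns rows of (source, destination, service, port, state).
    """
    return [(source, dest_name, svc, ports[svc], probe(dest_host, ports[svc], timeout))
            for svc in services]

def as_table(rows):
    """Render rows as pipe-separated lines, ready to paste into a change request."""
    return "\n".join("| " + " | ".join(str(c) for c in row) + " |" for row in rows)

if __name__ == "__main__":
    # Constructed sample: run on the admin workstation; the host name is a placeholder.
    rows = check_flow("Admin Console", "VxSS server",
                      "vxss.example.internal", ["VRTS-AT-PORT"])
    print(as_table(rows))
```

Run it on the machine that plays the source role in each table row, since a firewall rule is evaluated per source address.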